Computers and networks are often protected by passwords. In order to gain access to the computer or network, a user must enter a password. The computer or network controller (server) authenticates the password by comparing the password entered by the user with a stored password. If the entered password matches the stored password, the user is given access. If not, the user is denied access.
A major problem with password-protected computer systems is the already large and growing threat from “hackers.” The popular definition of a hacker refers to individuals who gain unauthorized access to computer systems for the purpose of stealing and/or corrupting data. Hackers are known for breaking into supposedly secure computer systems and damaging web sites, credit card accounts, internal databases, and the like.
Hacker software tools include programs that try many combinations of numbers and letters over a set period of time in an attempt to compromise a password-protected system. On some computer operating systems, as each letter or number is presented by the hacker, the letter or number is confirmed by the system as being correct or incorrect. This serial confirmation sequence actually makes it easier for a hacker to gain entry because fewer combinations of letters and numbers have to be tried. On other operating systems, the password must be completely entered correctly before confirmation is supplied by the system. This may slow down the password discovery process, but with time, the hacker can eventually present a correct password to the target computer system.
A passive hacker may monitor communications between a client device and an authentication server to learn the user's password. The passive hacker may then use the learned password to gain access to the server at a later time. For this reason, many organizations have their users periodically change their passwords. This is a great inconvenience for the users. To defeat the passive hacker, solutions have been tried which change the password for each access. Each time the user logs on, the user types his personal password plus a six-digit number which changes for every logon attempt. Once again, this is a great inconvenience for the user.
An active hacker may actually intercept and alter data packets sent from the client device to the authentication server, preventing the original packets from arriving at the server. The active hacker may then alter the data contents of the packets or may alter address information, thereby posing as the authorized user. The above solution of adding a changing six-digit number to the user's personal password does not defeat this type of active hacker if the hacker can access the server while the changing number is still valid.
In another type of active hacking, the hacker intercepts and alters the destination address of the client's data packets to a fake website which simulates the website the user was trying to reach. For example, the hacker may reroute a user to a fake website which is set up to appear as the user's bank. In an alternative form of this technique, known as phishing, the hacker sends an e-mail to the user posing as his bank's security department and asks the user to click on a link to verify his account information. The link takes the user to a fake site where the user is asked to enter his password and his account number. The hacker then uses this information to access the user's account at his bank.
In yet another type of hacking, the hacker may install a program known as a Trojan on the user's computer. The Trojan may search for data files on the user's computer and transmit them over a network connection to the hacker. Alternatively, a program known as a “key-logging program” may monitor the user's keyboard and capture the keystrokes as the user enters his User ID and password. The Trojan then reports the User ID and password to the hacker who uses it to gain access to the user's protected information.
A solution for countering all of the above hacker threats has been described in U.S. Pat. Nos. 7,581,113; 7,555,655; 7,600,128; 7,5797,251; 7,907,542; and U.S. patent application Ser. No. 12/218,009; all co-owned by the assignee of the instant application. In those patents, a USB plug-in device is inserted into a USB port on the user's computer and is utilized to securely store a database of second factors that are added to, or otherwise used to modify, password characters entered into the computer by a user.